Hackers Claim to Have 12 Million Apple Device Records

Nicole Perlroth, New York Times

Tuesday, 4 Sep 2012 | 3:44 PM ETThe New York Times

SHARES

Michael Nagle | Stringer | Getty Images News

iPhone 4S

Hackers have released a file that they say contains more than one million identification numbers for Apple iPhones, iPads and iPod Touch devices. They claim to have obtained the file by hacking into the computer of a federal agent.

The hacking group, known as AntiSec — a subset of the loose hacking collective known as Anonymous — posted copies of the file on Sunday and, in an online message, claimed to have a total of more than 12 million Apple identification numbers and associated personal data in their possession. They said they obtained the file in March by hacking into the laptop of a Federal Bureau of Investigation agent in the bureau’s New York field office.

Apple’s unique device identifiers, known as UDIDs, are strings of letters and numbers assigned to Apple devices. On their own, they are not of much value to hackers, but stitched together with other data — name, e-mail address, ZIP code, date of birth or driver’s license, for example — they can be used to compile a profile of a person that could be used to, say, answer their online security questions.

Apple has recently moved away from letting its app developers use device identifiers to make it harder for marketers to tie that that information to other data and track users across apps. Steve Dowling, an Apple spokesman, did not return requests for comment.

“A UDID is just a jumble of digits,” said Jim Fenton, the chief security officer of OneID. “It is only powerful when it is aggregated with other information.”

In their statement on the bulletin board PasteBin, the hackers said that they had obtained a file with “a list of 12,367,232 Apple iOS devices, including Unique Device Identifiers (UDID), user names, name of devices, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.”

Of the file posted online, only a few identifiers were tied to e-mail addresses, apparently because the device’s owner chose to use an e-mail address when naming the device.

The hackers claimed to have obtained the file from the computer of Christopher K. Stangl, a member of the F.B.I.’s Cyber Action Team. A spokesman for the F.B.I. did not immediately comment on the reported breach, but security experts said the file could have been obtained from anywhere.

“There are a million ways this could have happened,” said Marcus Carey, a researcher at Rapid7. “Apple could have been breached. AT&T could have been breached. A video game maker could have been breached. The F.B.I. could have obtained the file while doing forensics on another data breach.”

The hackers said, in their statement, that no other file on the breached computer had mentionioned the list of unique identification numbers or its purpose.

For now, Mr. Carey said that without more information, the breach posed little danger to those whose identification numbers had been exposed. “This is smoke, not fire,” Mr. Carey said. “This poses very little risk. None of this information could be used to hack someone or launch an attack.”